PRELIMINARY AMENDMENT 

Honorable Commissioner of Patents and Trademarks 
Washington, DC 20231 

Sir: 

Prior to examination of the above-identified application, please amend 
the application as follows: 
IN THE SPECIFICATION: 

Page 1, after the title and before the first paragraph, insert the following 
heading: 

-- Field of the Invention --; 

Page 1, line 6, insert the following title before the second paragraph at the 
left-hand margin: 
-- Background of the Invention --; 

Page 1, at line 22, before the paragraph beginning "One object...", insert 
the following heading at the left hand margin: 
-- Summary of the Invention --; 


Corres. to FR 99/11716 
Filed September 13, 1999 

Page 3, at line 9 and before the paragraph beginning "Other 
characteristics...", insert the following heading at the left hand margin: 
-- Brief Description of the Drawings --; 

Page 3, at line 17, before the paragraph beginning "Fig. 1...", insert the 
following heading at the left-hand margin: 
-- Description of the Preferred Embodiments --; 

Page 6, line 25, after "table", delete "7" and substitute --(7)--; 

IN THE CLAIMS: 

Please cancel claims 1-7 in their entirety and without prejudice and substitute 
the following new claims: 

--8. A high-performance specification resolution method for use in detecting 
attacks against computer systems comprising: 

a) formulating audit conditions to be detected using non-limiting specification 
formulas expressing fraudulent entry or attack patterns or abnormal operations, to be 
verified by examining the records of a log file of the computer system; 

b) expanding said formulas into subformulas; 

c) scanning by an interpreter, and generating, for each expanded formula in 
each record, Horn clauses to resolve in order to detect whether or not the formula is 
valid in the record, the Horn clauses expressing the implications resolvent of the 
subformulas for each record scanned, in positive clauses, i.e. counting only a 
positive literal and in non-positive clauses, i.e. counting at least one negative literal, 
which negative literals form the negative part of the clause; 
d) storing positive Horn clauses in a stack of worked subformulas, and storing, 
in a table comprising a representation, implicating subformula(s) constituting the 
negative part of the clause and the link with the implicated subformula(s) constituting 
the positive part of the clause, and storing in a counter the number of formulas or 
subformulas present in the negative part of the clause for each implicated 
subformula; 

e) resolving the table based on each positive clause encountered, so as to 
generate either an output file or an action of the computer system; 

f) iterating steps b) through e) until the scanning of all the records in the log 
file is complete. 

9. A method according to claim 8, characterized in that a temporal logic is 
used for the formulation of the specification. 

10. A method according to claim 8, characterized in that the table is a 
matrix and is indexed in columns by subscripts of the formulas appearing in the 
negative part of the Horn clauses, and the lines are the Horn clauses exactly. 

11. A method according to claim 8, characterized in that the table is 
preferably represented in the form of a sparse matrix, the columns being represented 
by means of chained lists and the implicit lines. 




US 3856DYADE-T21 53-906593 

12. A method according to claim 8, characterized in that a step for 
optimizing the expansion of the formulas is obtained through a hash table to ensure 
that the same formula is not expanded more than once in each record. 

13. A method according to claim 9, characterized in that a step for 
optimizing the expansion of the formulas is obtained through a hash table to ensure 
that the same formula is not expanded more than once in each record. 

14. A method according to claim 8, characterized in that the log file is 
scanned only once from beginning to end. 

15. A computer system comprising storage means and means for 
executing programs for implementing a high performance resolution method for 
detecting attacks against the system wherein the method: 

a) formulates audit conditions to be detected using non-limiting specification 
formulas expressing fraudulent entry or attack patterns or abnormal operations, to be 
verified by examining the records of a log file of the computer system; 

b) expands said formulas into subformulas; 

c) scans by an interpreter, and generates, for each expanded formula in each 
record, Horn clauses to resolve in order to detect whether or not the formula is valid 
in the record, the Horn clauses expressing the implications resolvent of the 
subformulas for each record scanned, in positive clauses, i.e. counting only a 
positive literal and in non-positive clauses, i.e. counting at least one negative literal, 
which negative literals form the negative part of the clause; 
d) stores positive Horn clauses in a stack of worked subformulas, and stores, 
in a table comprising a representation, implicating subformula(s) constituting the 
negative part of the clause and the link with the implicated subformula(s) constituting 
the positive part of the clause, and stores in a counter the number of formulas or 
subformulas present in the negative part of the clause for each implicated 
subformula; and 

e) resolves the table based on each positive clause encountered, so as to 
generate either an output file or an action of the computer system; 

- an adaptor for translating information from a log file formulated in the specific 
language of the machine into a language comprehensible to an interpreter; 

- the interpreter receiving the information from the adapter and receiving the 
formulation of the specification in a temporal logic in a specification formula in order 
to expand said formula and fill in the table and the stack of worked subformulas 
stored in a memory of the computer system and resulting from the scanning of the 
computer system's log file; 

- a clause processing algorithm executed by the computer system, for 
resolving the Horn clauses using the information from the table and the stack of 
worked subformulas, said clause processing algorithm generating an output file or 
generating an action. 

16. A computer system as defined in claim 15 wherein the temporal logic is 
used for formulation of the specification. 

17. A computer system as defined in claim 15, wherein the table is a matrix 
and is indexed in columns by subscripts of the formulas appearing in the negative 
part of the Horn clauses, and the lines are the Horn clauses exactly. 

18. A computer system as defined in claim 15, wherein the table is 
preferably represented in the form of a sparse matrix, the columns being represented 
by means of chained lists and the implicit lines. 

19. A computer system as defined in claim 15 including a hash table to 
ensure that the same formula is not expanded more than once in each record. 

20. A computer system as defined in claim 16 including a hash table to 
ensure that the same formula is not expanded more than once in each record. 

21. A computer system as defined in claim 15 including means for 
scanning the log file only once from beginning to end.-- 
IN THE ABSTRACT: 


Please cancel the Abstract at page 20 and the last line "Fig. 1", and 
substitute the following new Abstract: 
--ABSTRACT 

The present invention relates to a method and device for model 
resolution and its use for detecting attacks against computer systems. The 
device comprises adapter software for translating the information from the log 
file, formulated in the specific language of the machine, into a language 
understandable by the interpreter, an interpreter receiving the information 
from the adapter and receiving the formulation of the specification in the 
temporal logic in a specification formula in order to expand this formula and fill 
in the table and the stack of worked subformulas described above resulting 
from the scanning of the machine's log file, and a clause processing algorithm 
for resolving the Horn clauses using the information from the table and the 
stack of worked subformulas, this clause processing algorithm generating an 
output file or generating an action.-- 
REMARKS 


This Preliminary Amendment is made to eliminate informalities in the 
specification, claims and abstract resulting from a literal translation of the 
French text, to eliminate the use of multiple dependent claims, and to insert 
headings to conform the application to U.S. practice. 

The present application is believed to be in condition for examination, 
which action is earnestly solicited. 


Respectfully submitted, 


Date September IS , 2000 



1751 Pinnacle Drive, Suite 500 
McLean, Virginia 22102-3833 
Telephone (703) 903-9000 
METHOD AND DEVICE FOR MODEL RESOLUTION AND ITS USE FOR 
DETECTING ATTACKS AGAINST COMPUTER SYSTEMS 


The present invention relates to a method and device for model resolution and its use 
for detecting attacks against computer systems. 

Secure computer systems can be subject to attacks or attempts at fraudulent entry. In 
general, one tries to ward off these attacks by establishing log files, for example system log 
files or network log files, and by running scans on these files for detecting a malfunction or 
an intrusion. The systems that perform the auditing of log files generally rely on a 
complicated method that poses problems in the writing, and moreover, the resulting audit is 
difficult to read. Furthermore, when the intrusion occurs in several successive non-concomitant 
stages, the system may very well not detect it. In addition, the writing of the 
audit conditions is not very flexible, not very modifiable, and poses modularity problems. 
Thus, in most rule-based systems, it is necessary to describe the audit conditions in the form 
of programs describing the activation of rules conditioned by events; for example, in order to 
describe an audit condition that specifies a step A, followed a short time later by B, followed 
a short time later by C, it is necessary to describe queuing rules for step A, which if successful 
must activate queuing rules for step B, which if successful must activate queuing rules for 
step C. This way of writing the sequence A, B, C is tedious, and results in errors that are hard 
to detect with a simple reading. Furthermore, certain known systems require the log files to 
be scanned several times. 

One object of the invention is to offer a high-performance specification resolution 
method. 

This object is achieved through the fact that the high-performance specification 
resolution method comprises: 

a) a step for formulating the audit conditions one wishes to detect using specification 
formulas expressing fraudulent entry or attack patterns or even abnormal operations, this 
being non-limiting, to be verified by examining the records of the computer system's log file; 

b) a step for expanding formulas into subformulas; 

c) a step for scanning by an interpreter, which consists of generating, for each 
expanded formula in each record, Horn clauses to resolve in order to detect whether or not the 
formula is valid in this record, the Horn clauses expressing the implications resolvent of the 
subformulas for each record scanned, in positive clauses, i.e. counting only a positive literal, 
and in non-positive clauses, i.e. counting at least one negative literal, which negative literals 
form the negative part of the clause; 

d) a step for storing the positive Horn clauses in a stack of worked subformulas, and a 
step for storing, in a table comprising a representation, the implicating subformula(s) 
constituting the negative part of the clause and the link with the implicated subformula(s) 
constituting the positive part of the clause, and storing in a counter the number of formulas or 
subformulas present in the negative part of the clause for each implicated subformula; 

e) a step for resolving the table based on each positive clause encountered, so as to 
generate either an output file or an action of the computer system; 

f) a step for iterating steps b) through e) until the scanning of all the records in the log 
file is complete. 

Another object is to provide great flexibility. 

This object is achieved through the fact that the method uses a temporal logic for the 
formulation of the specification. 

According to another characteristic, the table is a matrix and is indexed in columns by 
the subscripts of the formulas appearing in the negative part of the Horn clauses, and the lines 
are the Horn clauses exactly. 

According to another characteristic, the table is preferably represented in the form of a 
sparse matrix, the columns being represented by means of chained lists and the lines 
remaining implicit. 

According to another characteristic, an optimization of the expansion of the formulas 
is obtained through a hash table in order to ensure that the same formula is not expanded 
more than once in each record. 

According to another characteristic, the log file is scanned only once from beginning 
to end. 

Another object is to offer a device that makes it possible to implement the method. 

This object is achieved through the fact that the high-performance specification 
resolution device comprises: 

- an adapting means for translating the information from the log file formulated in the 
specific language of the machine into a language comprehensible to an interpreting means; 

- the interpreting means receiving the information from the adapter and receiving the 
formulation of the specification in the temporal logic in a specification formula in order to 
expand this formula and fill in the table and the stack of worked subformulas stored in a 
memory of the computer system and resulting from the scanning of the computer system's log 
file; 

- a clause processing algorithm executed by the computer system, which makes it 
possible to resolve the Horn clauses using the information from the table and the stack of 
worked subformulas, this clause processing algorithm generating an output file or generating 
an action. 

Other characteristics and advantages of the present invention will emerge more clearly 
through the reading of the following description, given in reference to the attached drawings, 
in which: 

- Fig. 1 represents a schematic view of the hardware and software elements that make 
it possible to implement the method. 

- Fig. 2 represents the contents of the table, of the counters of the formulas or 
subformulas present in the negative parts of the clauses, and of the stack, and their evolution 
during the implementation of the method. 

Fig. 1 represents the elements required to implement the method according to the 
invention. The log file (1) is generally present in all the machines and can be the network log 
file when the machine is connected to a network, or a system log file, or any other file in 
which one wishes to verify a specification. A machine is understood to mean a computer 
comprising storage means, means for reading and for executing a program, and means for 
interacting with a user (for example screen, keyboard, mouse) and means for connecting to 
the network. This file communicates with an adapter (2), which is a software program for 
translating the information contained in the log file and expressed in the specific language of 
the machine into a high-level language understandable by an interpreter (3). The interpreter 
(3) also receives from a module (4) the formula of the specification to be verified, expressed 
in a temporal logic. This interpreter (3) performs the expansion of the formula into 
subformulas and the scanning of each record Ei (Annex 2) of the log file (1) in order to 
generate, by means of this expansion and this scanning, a resulting table and stack expressing 
Horn clauses stored in a memory (5). The concept of a Horn clause is well known to one 
skilled in the art, and is described for example in Goubault-Larrecq, Jean and Mackie, Ian, 
"Proof Theory and Automated Deduction," published by Kluwer, 1996. This table and this 


stack are used by a clause processing algorithm (6), which receives a start order from the 
interpreter (3) once the latter has filled in the table (5) containing a table of counters (7) and a 
stack (18), after having scanned all the records Ei of the file. This algorithm will look for the 
resolution of the specification for all of the records. When the completed scan of the record 
file (1) is detected, the clause processing algorithm generates either an output file or an action 
of the system or the machine. 

In an optimization of the method according to the invention, the phase for filling in 
the table (5) and the stack (18) and the phase for processing the clauses are performed 
concomitantly, so that the clause processing algorithm can generate the output file or the 
action of the system or the machine as soon as possible, and generally before the detection of 
the completed scan of the record file (1). 

To provide a better understanding of the method implemented, the latter will be 
explained with the help of an example whose formulas appear in an annex at the end of the 
specification. First of all, a log file is a set of records E = {E1, ..., EN}, as represented in Annex 
2. Each record Ei comprises a certain amount of information such as the date, the operation in 
question, the machine, a result, a subject, this list being non-limiting. 

Thus, E1 indicates that the machine user has tried to connect but has failed. 
To formulate a specification, as represented in Annex 1, that can be detected or 
resolved, a specification formula in a temporal logic is used. This formula is described 
according to the following formula production in the grammar of the BNF format well 
known to one skilled in the art (Aho, Alfred V., Sethi, Ravi and Ullman, Jeffrey D., 
Compilers: Principles, Techniques and Tools, Addison-Wesley, 1986): 
formula ::= atom 
          | formula ∧ formula 
          | formula ∨ formula 
          | formula U formula 
          | formula W formula 
atom    ::= record 
          | (formula) 
          | ¬ atom 
          | ○ atom, the next line exists and in the next line, the atom is true 
          | ⊙ atom, if the next line exists, then in the next line, the atom is true 
          | ◇ atom, there exists a line, either the current line or a subsequent line, in which the atom is true 
          | □ atom, for all the lines starting with the current line, the atom is true 

The operators between formulas are the operator "∧" for expressing a logical "AND", 
"∨" for expressing a logical "OR", "U" for expressing the formulation "until", and "W" for 
expressing the formulation "waiting for"; "○" for expressing the formulation "on the next 
line, which exists", "⊙" for expressing the formulation "on the next line, if it exists", "◇" for 
expressing the formulation "on the current line or on a subsequent line", "□" for expressing the 
formulation "on the current line and on every subsequent line." This notation is well known to 
one skilled in the art (see for example Manna, Zohar and Pnueli, Amir, The Temporal Logic 
of Reactive and Concurrent Systems: Specification, Springer, 1992). Thus, the temporal 
formulation F = F1 W F2 allows for an easy formulation of a specification to be verified. 
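As an added example, not part of the patent text, the following Python parses formulas written in the grammar above and gives them their reference meaning over a list of log records. It assumes the glyphs ∧, ∨, U, W, ¬, ○, ◇ and □ for the operators and, because the original glyph for the weak next operator ("on the next line, if it exists") is uncertain, writes that operator as ⊙. The grammar states no operator precedence, so the parser assumes that unary operators bind tightest, then ∧, then ∨, then U and W (right-associative). Record patterns are written {field = "value", ...}, as in the atomic formulas F and H described below, and the three-record log is constructed for the example. The holds() evaluator rescans the log for every temporal operator, which is exactly the multi-pass behaviour the resolution method described later avoids; it serves here as a statement of what each operator means.

```python
import re

# Operator glyphs as in the grammar above; "⊙" for weak next is an assumption of this
# example. A record pattern is written {field = "value", ...} and is one token.
UNARY = {"¬": "not", "○": "next", "⊙": "wnext", "◇": "ev", "□": "al"}
TOKEN = re.compile(r'\{[^}]*\}|[∧∨UW()]|[¬○⊙◇□]|\S')   # anything else surfaces as a bad token
PAIR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


class Parser:
    """Recursive descent over the grammar. It states no precedence, so this parser
    assumes: unary glyphs > ∧ > ∨ > U / W, with U and W right-associative."""

    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def take(self):
        if self.pos >= len(self.toks):
            raise SyntaxError("unexpected end of formula")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        f = self.formula()
        if self.peek():
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return f

    def formula(self):                        # formula U formula | formula W formula
        left = self.disj()
        if self.peek() in ("U", "W"):
            return ("until" if self.take() == "U" else "wuntil", left, self.formula())
        return left

    def disj(self):                           # formula ∨ formula
        f = self.conj()
        while self.peek() == "∨":
            self.take()
            f = ("or", f, self.conj())
        return f

    def conj(self):                           # formula ∧ formula
        f = self.atom()
        while self.peek() == "∧":
            self.take()
            f = ("and", f, self.atom())
        return f

    def atom(self):                           # record | (formula) | unary glyph applied to an atom
        t = self.take()
        if t == "(":
            f = self.formula()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return f
        if t in UNARY:
            return (UNARY[t], self.atom())
        if t.startswith("{") and t.endswith("}"):
            return ("atom", tuple(sorted(PAIR.findall(t))))
        raise SyntaxError(f"unexpected token {t!r}")


def holds(f, log, i):
    # Reference meaning of f at record i (1-based). It rescans the log at will, which is
    # the multi-pass behaviour the single-scan method described later avoids.
    n, op = len(log), f[0]
    if op == "atom":
        return all(log[i - 1].get(k) == v for k, v in f[1])
    if op == "not":
        return not holds(f[1], log, i)
    if op in ("and", "or"):
        a, b = holds(f[1], log, i), holds(f[2], log, i)
        return a and b if op == "and" else a or b
    if op == "next":                          # the next line must exist
        return i < n and holds(f[1], log, i + 1)
    if op == "wnext":                         # true on the last line, where no next line exists
        return i >= n or holds(f[1], log, i + 1)
    if op == "ev":
        return any(holds(f[1], log, j) for j in range(i, n + 1))
    if op == "al":
        return all(holds(f[1], log, j) for j in range(i, n + 1))
    if op == "until":                         # f[2] at some j >= i, f[1] on every line before j
        return any(holds(f[2], log, j) and all(holds(f[1], log, k) for k in range(i, j))
                   for j in range(i, n + 1))
    return holds(("until", f[1], f[2]), log, i) or holds(("al", f[1]), log, i)  # "wuntil"


def states_where(spec, log):
    # The records (1-based) at which the specification text is verified.
    f = Parser(spec).parse()
    return [i for i in range(1, len(log) + 1) if holds(f, log, i)]


LOG = [  # constructed three-record log, not the patent's Annex 2
    {"op": "connection", "result": "failed", "subject": "alice"},
    {"op": "read", "result": "success", "subject": "alice"},
    {"op": "connection", "result": "success", "subject": "alice"},
]
FAILED = '{op = "connection", result = "failed"}'    # the atomic formula F of the example
SUCCESS = '{op = "connection", result = "success"}'  # the atomic formula H
```

With this log, states_where(f"{FAILED} ∧ ◇{SUCCESS}", LOG) is [1]: the failed connection at record 1 is eventually followed by a successful one, while records 2 and 3 do not satisfy F. The difference between ○ and ⊙ shows on the last record, where ○H is false (no next line) and ⊙¬F is true.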

Let us assume that the operator has entered, by means of a man-machine interface (4) 
that allows the generation of a temporal formula, a temporal formula like the one appearing in 
Annex 1. 

The interface (4) will translate this formula in Annex 1 into a temporal formula where 
F and H are atomic formulas in which F represents {op = "connection", result = "failed", etc.} 
and H represents {op = "connection", result = "success", etc.}. Furthermore, let us assume that 
the log file (1) contains the records E1 through E3 represented in Annex 2. 

First, the interpreter (3) performs an expansion of the formula for each record E1, E2, 
E3, as represented in Annex 6, by generating subformulas for each record in order to deduce 
from them Horn clauses that express the logical implications that exist between a formula and 
its subformulas, and the possibility of satisfying the atomic formulas, as represented in Annex 
6. Thus, for the record E1, the formula is expanded into the subformula F to which the clause 
(f2) corresponds, into the subformula ◇H to which the clause (f2) ∧ (f3) → (f1) corresponds, etc. 
The interpreter (3) includes an optimization procedure that makes it possible to eliminate the 
redundancies and the unnecessary steps from the table of Annex 6, and after optimization, the 
interpreter will retain only the clauses generated that correspond to the table of Annex 7. To 
facilitate the understanding of the table of Annex 7 or the table of Annex 6, the notation ◇H 
means: "There exists a line, either the current line of the record or a subsequent line, in which 
the formula H is verified"; in order to verify whether F ∧ ◇H is true in the record E1, the pairs 
(formula, record), called configurations, are numbered; in the example, the pair (F ∧ ◇H, E1) 
is numbered (1). The interpreter (3) expands the formula F ∧ ◇H in the record E1 into the 
formulas F and ◇H. The pair (F, E1) is numbered f2, the pair (◇H, E1) is numbered f3, and 
the interpreter generates the clause (f2) ∧ (f3) → (f1), which expresses that if the configuration 
f2 and the configuration f3 are verified, then the configuration f1 is verified, which means that 
F is verified in the record E1. ○(◇H) means: "the next line of the record exists and in the next 
line ◇H is true," which corresponds to the configuration f6 for the first record. The formula 
H ∨ ○(◇H) means "H is true or the next line of the record exists and in the next line, there 
exists a line, either the current line or a subsequent line, in which H is true," which 
corresponds to the configurations (f1) for the record E1, (f9) and (f11) for the record E2 and 
(f19), (f23) and (f28) for the record E3. The set of Horn clauses appearing in the right-hand part 
of the table of Annex 7 is stored in the table (5), in the counter (7) and in the stack (18) 
represented in Fig. 2, in the following way. The columns of the table (5) are indexed by the 
subscripts (f2), (f3), (f4), (f5), (f6), (f8), (f11), (f12) of the formulas appearing in the negative 
part of the clause. Only the subscripts that implicate a conclusion are saved. The lines of the 
table (5) are indexed by the subscripts (f1), (f3), (f7) of the formulas appearing in the positive 
part of the clause. The negative part of the clause is the part located to the left of the 
implication arrow, which will hereinafter be called the implicating subformula(s). The 
positive part is to the right of the arrow and will be called the implicated formula. This 
representation is not limiting, and the representation in the form of a sparse matrix, the 
columns being represented by means of chained lists and the lines remaining implicit, is 
preferred. However, to provide a clear understanding of the invention, the latter will be 
explained using the notations of Fig. 2. To explain the notation of the table 7, the clause (f2) 
∧ (f3) → (f1) means that if the configuration f2 is verified and the configuration f3 is verified, 
then the configuration f1 is verified. The clause f7 → f3 means that if the configuration f7 is 
verified, then the configuration f3 is too. Furthermore, during the expansion of the formulas 
by the interpreter (3), the latter stored in a stack (18) the positive clauses corresponding to the 
formulas that can be satisfied. Thus, at the end of the expansion, the formulas f2 and f8 are in 
the stack (18₁), as shown in Fig. 2, and the table of the counters of negative literals in the 
clauses of the table is constituted by the information represented by the reference (7₁) in this 
figure. In the resolution phase, the clause processing algorithm (6), when it is activated by the 
interpreter once the latter has filled in the tables (5, 7 and 18), after having examined the lines 
of the records in the log file, will begin by examining the top of the stack (18) and extracting 
from it the information that the configuration f8, in this case, is satisfied. The algorithm then 
examines, in the table (5), the clauses that have this configuration in the negative part, in this 
case the configuration f7, and deduces from them the counter that it must decrement. The 
counter (7₂) represents the evolution in the counter (7₁) of the counter that is associated with 
the formula represented in the positive part. The algorithm decrements the corresponding 
counter, in this case that of the configuration f7, and places at the top of the stack the value 
"7" of the configuration that is true, as shown in the box (18₂), which represents the evolution 
of the stack (18), while the column (7₂) represents the evolution of the counter. Next, the 
clause resolution algorithm will proceed by iteration, searching for the clauses that have the 
configuration f7 in the negative part in order to deduce from them that the configuration f3 is 
true and decrement the counter corresponding to this line of configurations, as shown in the 
column (7₃). The algorithm (6) continues in this way until the stack (18) is empty or contains 
configurations already processed, and the only configuration f1 that verifies the specification 
is obtained in the stack (18₅). 

The expansion algorithm avoids unnecessarily replicating identical configurations, 
represented by their pointers, by establishing a hash table. The hash table data structure and 
the associated algorithms are well known to one skilled in the art (see for example Knuth, 
Donald Erwin, The Art of Computer Programming, Vol. 3, "Sorting and Searching," Addison-
Wesley, Second Edition, 1998). 

Furthermore, it is also possible to achieve optimizations in the expansion of the 
formulas, in order to avoid several steps. Thus, instead of expanding the formula ◇F into 
F ∨ ○(◇F), then into F and ○(◇F), and then into ◇F in the next state, it is expanded directly into 
F and into ◇F in the next state. Likewise, when there is a formula of the type F ∧ G where 
either F or G can be evaluated as false in the current state, the expansion of the formula is 
halted. The method developed by the invention has an advantage over the known method of 
the prior art, in which a truth table like the one represented in Annex 4 is first established for 
each atomic formula, then secondly, truth tables (Annex 5) are established for the non-atomic 
subformulas using the truth table of Annex 4. The model verification is then performed in two 
stages. First, it verifies whether the atomic formulas are true or false, which requires a 
scanning of the states for each formula, then secondly, in order to establish the truth of the 
subformulas, it is necessary to see how each atomic formula behaves in each state, which 
amounts to performing several scans of the records. This means performing backward returns 
in the log file with all the ensuing read and set operations which, given the large size of a log 
file, can be very time-consuming. The method developed by the invention is much more 
high-performance and economical, in terms of size and the memory required to store the 
intermediate states. 

To provide a better understanding of the algorithm, we will describe it briefly, then 
present it formally. 

The specification file, F_s, is considered to be a finite set of formulas F_s whose syntax 
and semantics are defined above. Let us use the notation F for the set of all the formulas 
whose syntax and semantics are defined above, and {R_i}, 1 ≤ i ≤ N (with N equal to the number 
of records in the file) for the log files. Log files are files that record everything that happens 
in a system (for example, a file that traces the users' connections to and disconnections from 
the machines). A record is a function R with a finite domain and codomain from Σ* to Σ*, Σ* being 
the set of character strings: 

R: Σ* → Σ* 

Let us use the notations dom(R) and codom(R), respectively, for the domain of R and 
the codomain of R. 

Example 1 (record) Let us consider the record R of a log file: 
date = 02:27:2000, operation = connection, machine = papillon, 
result = success, subject = Machine 
we then have: dom(R) = {date, operation, machine, result, subject} 
where dom(R) is the domain and codom(R) is the codomain, 
codom(R) = {02:27:2000, connection, papillon, success, Machine}, and 
R: Σ* → Σ* 
date ↦ 02:27:2000 
operation ↦ connection 
machine ↦ papillon 
result ↦ success 
subject ↦ Machine 

A log file is therefore a (finite) set of records R_1, ..., R_|N|. 


Let "Current" and "Next" be sets of formula representations (in the remainder of the 
description, "formula" will be used to mean "formula representation"); Current is the set of 
formulas to be examined in the current state and Next is the set of formulas that must be 
examined in the next state. 
In each state, the set "Current" is the union of the set "Next" and the formulas F_s 
associated with the current state. That is what step 2) of the algorithm says. 
The current state is represented by the integer i; 1 ≤ i ≤ |N|. 

The "log" file is scanned in one pass, and during this scan, in each state, i.e. in each 
record of the file, the formulas of the set Current that are verified are revealed, and those that 
contain future operators are added to the set "Next" so they can be examined in the next state. 
That is what the "Expand" procedure in step 3) of the algorithm does. This procedure extracts 
the subformulas from each formula recursively, stores the logical implications that concern 
them in the form of Horn clauses in a matrix M (for example, for a formula F = F1 ∨ F2, we 
have the clauses F1 → F and F2 → F), and for those that are atomic, if they are verified in the 
current state (which is what the "match" procedure appearing in "Expand" looks for), it stores 
them in a stack (Stack), which is a stack of formula representations. Once all the formulas 
have been expanded in the current state, those that are resolvable are resolved with the help of 
the matrix and the stack (this is what the "resolve matrix" procedure in step 4) of the 
algorithm does). Thus, as a result of the atomic formulas that have been resolved and the 
clauses, all the formulas that are verified are stored in the file "ResForm" (which is a set of 
formula representations). 

These steps are iterated until the end of the "log" file (as seen in step 4) of the 
algorithm). Finally, when the entire log file has been scanned, the "Satis" procedure of step 5) 
compares the formulas of the file ResForm, which are all formulas verified in a certain state 
but which are subformulas of formulas of the specification file, to the formulas of the 
specification file, in order to see which ones are verified, and in which state(s). 
Here is the algorithm itself: 
1) i := 0; 
   Current := ∅; 
   Next := ∅; 
   ResForm := ∅; 
   Stack := stack_empty; 
   M := (); 

2) Current := {Repr(F, i) | F ∈ F_s} ∪ Next; 
   where Repr(F, i) is a stored representation of F in the i state 
   Next := ∅; 

3) if Current ≠ ∅ then 
   let f ∈ Current; 
   Current := Current \ {f}; 
   Expand(f); 

4) resolve matrix; 
   if i < |N| 
   then i := i + 1; 
   go to 2); 
   otherwise go to 5); 

5) Satis; 

We will now define the various procedures used in the algorithm.

"Expand(f)" procedure, where f is a formula representation.

For greater clarity, this procedure will be presented with the help of a table whose meaning will now be explained:

- the "Formula" column is exactly form(f), i.e., the formula represented by f,

- the "Current" (or respectively, "Next") column designates all the formula representations that have been added to the "Current" (or respectively, "Next") set,

- the "Clause" column designates the clauses that are stored in the matrix with the insert_clause procedure described below;

- the formula representations added to the "Current" set are in turn expanded recursively;

- the atomic formulas and the formulas with the form ¬F_1, where F_1 is an atomic formula, are processed separately: if the atomic formula corresponds to the current record (matches the record; the "match" procedure is defined below), then this formula is verified in the i state; if the atomic formula F_1 does not match the current record, then ¬F_1 is verified in the i state. More formally:

If form(f) is an atomic formula,
  if match(f) = TRUE
  then Stack := stack(Stack, f);
If form(f) has the form ¬F_1, F_1 being an atomic formula,
  let f_1 = Repr(F_1, i);
  if match(f_1) = FALSE
  then Stack := stack(Stack, f);


Formula          | Current                                                  | Next                                        | Clause
F_1 ∧ F_2        | f_1 = Repr(F_1, i), f_2 = Repr(F_2, i)                   |                                             | f_1 ∧ f_2 → f
F_1 ∨ F_2        | f_1 = Repr(F_1, i), f_2 = Repr(F_2, i)                   |                                             | f_1 → f, f_2 → f
○F_1             |                                                          | f_1 = Repr(F_1, i + 1)                      | f_1 → f
○F_1 (see (*))   |                                                          | f_1 = Repr(F_1, i + 1) if i ≠ |N| (*)       | f_1 → f
◇F_1             | f_1 = Repr(F_1, i)                                       | f_2 = Repr(◇F_1, i + 1)                     | f_1 → f, f_2 → f
□F_1             | f_1 = Repr(F_1, i)                                       | f_2 = Repr(□F_1, i + 1)                     | f_1 ∧ f_2 → f
F_1 U F_2        | f_1 = Repr(F_1 ∧ ○(F_1 U F_2), i), f_2 = Repr(F_2, i)    |                                             | f_1 → f, f_2 → f
F_1 W F_2        | f_1 = Repr(□F_1, i), f_2 = Repr(F_1 U F_2, i)            |                                             | f_1 → f, f_2 → f
¬(F_2 ∧ F_3)     | f_1 = Repr(¬F_2 ∨ ¬F_3, i)                               |                                             | f_1 → f
¬(F_2 ∨ F_3)     | f_1 = Repr(¬F_2 ∧ ¬F_3, i)                               |                                             | f_1 → f
¬(¬F_2)          | f_1 = Repr(F_2, i)                                       |                                             | f_1 → f
¬(○F_2)          | f_1 = Repr(○¬F_2, i)                                     |                                             | f_1 → f
¬(○F_2) (see (*))| f_1 = Repr(○¬F_2, i)                                     |                                             | f_1 → f
¬(◇F_2)          | f_1 = Repr(□¬F_2, i)                                     |                                             | f_1 → f
¬(□F_2)          | f_1 = Repr(◇¬F_2, i)                                     |                                             | f_1 → f
¬(F_2 U F_3)     | f_1 = Repr(□¬F_3, i), f_2 = Repr(¬F_3 U (¬F_2 ∧ ¬F_3), i)|                                             | f_1 → f, f_2 → f
¬(F_2 W F_3)     | f_1 = Repr(¬F_3 U (¬F_2 ∧ ¬F_3), i)                      |                                             | f_1 → f

(*): otherwise, i.e. if i = |N|,
  f_1 = Repr(F_1, i);
  Stack := stack(Stack, f_1);
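As an added illustration, not code from the patent, the expansion table above written out as a Python function over a small tuple encoding of formulas; the encoding, the operator names and the merging of the page's two forms of "next" into a single ('next') case are assumptions of this example.

```python
# Added example (not the patent's own code): the "Expand" table as a function.
# Formulas are nested tuples: ('atom', name), ('not', F), ('and', F1, F2),
# ('or', F1, F2), ('next', F1), ('ev', F1) for ◇F1, ('alw', F1) for □F1,
# ('until', F1, F2). A representation Repr(F, i) is modelled as the pair (F, i).
# Assumption: the page's two forms of "next" are collapsed into one ('next').

DUAL = {'and': 'or', 'or': 'and', 'ev': 'alw', 'alw': 'ev', 'next': 'next'}

def expand(f):
    """Return (current, next_, clauses) for the representation f = (F, i):
    current = representations added to Current, next_ = those added to Next,
    clauses = Horn clauses as (negative_part, f); ((f1, f2), f) is f1 ∧ f2 → f."""
    F, i = f
    op = F[0]
    if op == 'atom' or (op == 'not' and F[1][0] == 'atom'):
        return [], [], []                         # decided by match(), not expanded
    if op in ('and', 'or'):
        f1, f2 = (F[1], i), (F[2], i)
        if op == 'and':
            return [f1, f2], [], [((f1, f2), f)]              # f1 ∧ f2 → f
        return [f1, f2], [], [((f1,), f), ((f2,), f)]         # f1 → f, f2 → f
    if op == 'next':
        f1 = (F[1], i + 1)
        return [], [f1], [((f1,), f)]
    if op == 'ev':                                # ◇F1: F1 now, or ◇F1 in the next state
        f1, f2 = (F[1], i), (F, i + 1)
        return [f1], [f2], [((f1,), f), ((f2,), f)]
    if op == 'alw':                               # □F1: F1 now and □F1 in the next state
        f1, f2 = (F[1], i), (F, i + 1)
        return [f1], [f2], [((f1, f2), f)]
    if op == 'until':                             # F1 U F2: F2 now, or F1 ∧ ○(F1 U F2)
        f1, f2 = (('and', F[1], ('next', F)), i), (F[2], i)
        return [f1, f2], [], [((f1,), f), ((f2,), f)]
    # op == 'not': push the negation one level inward, as in the last rows of the table
    G = F[1]
    if G[0] == 'not':
        g = (G[1], i)
    elif G[0] in ('and', 'or'):
        g = ((DUAL[G[0]], ('not', G[1]), ('not', G[2])), i)
    elif G[0] in DUAL:                            # ¬○, ¬◇, ¬□
        g = ((DUAL[G[0]], ('not', G[1])), i)
    else:                                         # ¬(F2 U F3) = □¬F3 ∨ (¬F3 U (¬F2 ∧ ¬F3))
        nF2, nF3 = ('not', G[1]), ('not', G[2])
        g1 = (('alw', nF3), i)
        g2 = (('until', nF3, ('and', nF2, nF3)), i)
        return [g1, g2], [], [((g1,), f), ((g2,), f)]
    return [g], [], [((g,), f)]
```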


"match(f)" procedure, where f is a formula representation

In the case of form(f):

- if it has the form {id_1 = t_1, ..., id_n = t_n, ...}, then:
  - if ∀j, 1 ≤ j ≤ n, id_j ∈ Dom(R_i), and match-term(R_i(id_j), t_j, f)
    - then TRUE
    - otherwise FALSE

- if it has the form {id_1 = t_1, ..., id_n = t_n}, then:
  - if n = |Dom(R_i)| and ∀j, 1 ≤ j ≤ n, id_j ∈ Dom(R_i), and match-term(R_i(id_j), t_j, f)
    - then TRUE
    - otherwise FALSE

"match-term(w, t, f)" procedure, where w, t ∈ Σ* ∪ V and f is a formula representation:

in the case of t:

- if t is a regex:
  - if Reg(w, t)
    - then TRUE
    - otherwise FALSE

- if t is a variable x:
  Notation: ρ(x) is a partial function from the set of variables V to the set of character strings Σ*
  - if ρ(x) is defined
    - if ρ(x) = w
      - then TRUE
      - otherwise FALSE
  - if ρ(x) is not defined, then
    Notation: E is the environment constituted by the pairs whose first component is taken from the set of variables and whose second component is taken from the set of character strings
    E := E ∪ {(x, w)};
    - TRUE;
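An added example, not the patent's own code, of the "match" and "match-term" procedures over records held as Python dicts; the Var helper, the dict encoding of records and patterns, and the Annex 2-style sample records are constructed for this illustration.

```python
# Added example (not the patent's own code): "match" and "match-term" over
# records modelled as dicts. Dom(R_i) is the set of keys of the dict; the
# records E1 and E2 below are constructed in the style of Annex 2.
import re

class Var:
    """A variable x appearing as a term; it is bound through the environment E."""
    def __init__(self, name):
        self.name = name

def match_term(w, t, env):
    """match-term(w, t, f): t is a regex string or a Var. env is the
    environment E; the partial function rho(x) is env.get(x)."""
    if isinstance(t, Var):
        if t.name in env:                  # rho(x) defined: must equal w
            return env[t.name] == w
        env[t.name] = w                    # rho(x) undefined: E := E ∪ {(x, w)}
        return True
    return re.fullmatch(t, w) is not None  # Reg(w, t)

def match(pattern, record, env, exact=False):
    """match(f) for form(f) = {id_1 = t_1, ..., id_n = t_n[, ...]}:
    every id_j must be in Dom(R_i) and its value must match t_j; the form
    without the trailing '...' (exact=True) also needs n = |Dom(R_i)|."""
    if exact and len(pattern) != len(record):
        return False
    for ident, term in pattern.items():
        if ident not in record or not match_term(record[ident], term, env):
            return False
    return True

# Constructed records (Annex 2 style).
E1 = {"op": "connection", "result": "failed", "subject": "machine"}
E2 = {"op": "connection", "result": "success", "subject": "machine",
      "date": "09:14:99"}

def failed_then_success(records):
    """Annex 1: a failed connection followed later by a successful one; the
    variable x ties both records to one subject. Returns (kind, state, subject)."""
    failed = {"op": "connection", "result": "failed", "subject": Var("x")}
    ok = {"op": "connection", "result": "succ.*", "subject": Var("x")}
    env, hits = {}, []
    for i, r in enumerate(records, start=1):          # i is the state number
        if match(failed, r, env):
            hits.append(("failed", i, env["x"]))
        elif match(ok, r, env):
            hits.append(("success", i, env["x"]))
    return hits
```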

"Insert-clause(H)" procedure, where H is a Horn clause having one or two formula representations in the negative part:

Notation: if M is an m × n matrix, m, n ∈ ℕ, let m_{i,j} be the element of the i-th line in the column indexed by j, and likewise m_{f,f_1} and m_{f,f_2}.

In the case of H:

- if H has the form f_1 → f, then:
  - if there already exists a column of M indexed by f_1,
    - then add a line indexed by f with m_{f,f_1} = 1;
    - otherwise, add a column indexed by f_1 and a line indexed by f, with m_{f,f_1} = 1;

- if H has the form f_1 ∧ f_2 → f, then:
  - if neither f_1 nor f_2 is an index of any column of M,
    - then add 2 columns indexed by f_1 and f_2 and a line indexed by f with m_{f,f_1} = m_{f,f_2} = 2;
  - if only one of the f_i, i = 1, 2, is not an index of a column of M, then:
    - add a column indexed by f_i and a line indexed by f with m_{f,f_i} = m_{f,f_j} = 2, where j ∈ {1, 2} \ {i};
  - if f_1 and f_2 are indexes of columns of M, then:
    - add a line indexed by f with m_{f,f_1} = m_{f,f_2} = 2.
"resolve-matrix" procedure:

- if Stack = stack-empty, then nothing;

- otherwise, let f := pop(Stack); ∀i such that m_{i,f} exists, then:
  - m_{i,f} := m_{i,f} − 1;
  - ∀j such that m_{i,j} exists, then: m_{i,j} := m_{i,j} − 1;
  - if m_{i,j} = 0, then:
    - let f_l be the index of the line m_{i,·};
    - if f_l ∉ ResForm, then:
      - Stack := stack(Stack, f_l);
      - ResForm := ResForm ∪ {f_l};
    - delete(m_{i,j});
  - if the i-th line is empty, delete it; if the column indexed by f is empty, delete it.

"Satis" procedure:

If Stack ≠ stack-empty then:
- let f_1 = pop(Stack);
- if f_1 ∈ F_S, then form(f_1) is verified in the state state(f_1).
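An added example (not code from the patent) of "insert-clause" and "resolve-matrix" with the table M held as a sparse matrix of counters, one line per clause as claim 3 describes; the ClauseMatrix class and the Annex 7 clause names used in the demo are assumptions of this example.

```python
# Added example (not the patent's own code): the clause table M as a sparse
# matrix of counters with "insert-clause" and "resolve-matrix" as described
# above; formula representations are plain strings named after Annex 7.

class ClauseMatrix:
    def __init__(self):
        self.lines = {}         # line id -> (implicated f, {column f_j: counter})
        self.cols = {}          # column f_j -> ids of lines whose negative part has f_j
        self.stack = []         # Stack of verified formula representations
        self.res_form = set()   # ResForm

    def insert_clause(self, negative, f):
        """Store f_1 [∧ f_2] → f: one line per clause, indexed by f, with every
        element initialised to the size of the negative part (1 or 2)."""
        lid = len(self.lines)
        self.lines[lid] = (f, {fj: len(negative) for fj in negative})
        for fj in negative:
            self.cols.setdefault(fj, set()).add(lid)

    def push_verified(self, f):
        if f not in self.res_form:          # a positive clause: f is verified
            self.res_form.add(f)
            self.stack.append(f)

    def resolve_matrix(self):
        """Pop each verified f; every line with a column f counts down; a line
        reaching 0 has its whole negative part verified, so its index follows."""
        while self.stack:
            f = self.stack.pop()
            for lid in list(self.cols.pop(f, ())):        # column f is used up
                fl, line = self.lines[lid]
                for fj in line:
                    line[fj] -= 1
                if min(line.values()) == 0:
                    for fj in line:                       # delete the line
                        self.cols.get(fj, set()).discard(lid)
                    del self.lines[lid]
                    self.push_verified(fl)

def annex7_demo(h_matches_e2=True):
    # Constructed from Annex 7: F ∧ ◇H over the states E1 and E2.
    m = ClauseMatrix()
    m.insert_clause(("f2", "f3"), "f1")   # (f2) ∧ (f3) → (f1): F ∧ ◇H in E1
    m.insert_clause(("f4",), "f3")        # H in E1 → ◇H in E1
    m.insert_clause(("f7",), "f3")        # ◇H in E2 → ◇H in E1
    m.insert_clause(("f8",), "f7")        # H in E2 → ◇H in E2
    m.push_verified("f2")                 # positive clause: F matches E1
    if h_matches_e2:
        m.push_verified("f8")             # positive clause: H matches E2
    m.resolve_matrix()
    return m.res_form
```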
It should be clear to those skilled in the art that the present invention allows 
embodiments in many other specific forms without going outside the field of application of 
the invention as claimed. Consequently, the present embodiments should be considered as 
examples, but can be modified in the field defined by the scope of the attached claims. 
ANNEX

Annex 1

{op = « connection », result = « failed », ...}

and later {op = « connection », result = « success », ...}

Annex 2

E1 : {op = « connection », result = « failed », subject = « machine »}
E2 : {op = « connection », result = « success », subject = « machine », date = « 09 : 14 : 99 »}
E3 : {op = « exec », result = « success », object = « emacs », mode = « tex », subject = « machine »}

Annex 3

F ∧ ◇H, where F and H are atomic formulas, for detecting events expressed in temporal logic from atomic formulas.

E1 : {F}
E2 : {H}
E3 : {G}

Annex 4

STATES | F | H
E1     | 1 | 0
E2     | 0 | 1
E3     | 0 | 0

Truth tables of the atomic formulas
Annex 5

STATES | ◇H | F ∧ ◇H
E1     | 1  | 1
E2     | 1  | 0
E3     | 0  | 0

Truth tables of the non-atomic formulas


Annex 7

STATES | Formulas and subformulas        | Clauses generated
E1     | F ∧ ◇H                    (f1)  |
       | (f1): F                   (f2)  | (f2)
       |       ◇H                  (f3)  | (f2) ∧ (f3) → (f1)
       | (f3): H                   (f4)  | (f4) → FALSE
E2     | F ∧ ◇H                    (f6)  |
       | (f3): ◇H                  (f7)  | (f7) → (f3)
       | (f7): H                   (f8)  | (f8)
       | (f6): F                         | (f6) → FALSE
E3     | F ∧ ◇H                    (f10) |
       | (f7): ◇H                  (f11) | (f11) → (f7)
       | (f11): H                  (f12) | (f12) → FALSE
       | (f10): F                  (f13) | (f13) → FALSE

Annex 6

[Table: "Formulas and subformulas" / "Clauses generated", for F ∧ ◇H with ◇H expanded as H ∨ ○(◇H) over the three states, with representations (f1) to (f30) and clauses of the forms (f_j) ∧ (f_k) → (f_l), (f_j) → (f_k) and (f_j) → FALSE; the cell contents are not legible in the scan.]

CLAIMS

1. High-performance specification resolution method characterized in that it comprises:

a) a step for formulating the audit conditions one wishes to detect using specification formulas expressing fraudulent entry or attack patterns or abnormal operations, this being non-limiting, to be verified by examining the records of the computer system's log file;

b) a step for expanding formulas into subformulas;

c) a step for scanning by an interpreter, which consists of generating, for each expanded formula in each record, Horn clauses to resolve in order to detect whether or not the formula is valid in this record, the Horn clauses expressing the implications resolvent of the subformulas for each record scanned, in positive clauses, i.e. counting only a positive literal, and in non-positive clauses, i.e. counting at least one negative literal, which negative literals form the negative part of the clause;

d) a step for storing positive Horn clauses in a stack of worked subformulas, and a step for storing, in a table comprising a representation, the implicating subformula(s) constituting the negative part of the clause and the link with the implicated subformula(s) constituting the positive part of the clause, and storing in a counter the number of formulas or subformulas present in the negative part of the clause for each implicated subformula;

e) a step for resolving the table based on each positive clause encountered, so as to generate either an output file or an action of the computer system;

f) a step for iterating steps b) through e) until the scanning of all the records in the log file is complete.

2. Method according to claim 1, characterized in that a temporal logic is used for the formulation of the specification.

3. Method according to claim 1, characterized in that the table is a matrix and is indexed in columns by the subscripts of the formulas appearing in the negative part of the Horn clauses, and the lines are the Horn clauses exactly.

4. Method according to claim 1, characterized in that the table is preferably represented in the form of a sparse matrix, the columns being represented by means of chained lists and the lines remaining implicit.

5. Method according to claim 1 or 2, characterized in that a step for optimizing the expansion of the formulas is obtained through a hash table in order to ensure that the same formula is not expanded more than once in each record.

6. Method according to claim 1, characterized in that the log file is scanned only once from beginning to end.

7. Computer system comprising storage means and means for executing programs for implementing the method according to any of claims 1 through 6, characterized in that the system comprises:

- an adapting means for translating the information from the log file formulated in the specific language of the machine into a language comprehensible to an interpreting means;

- the interpreting means receiving the information from the adapter and receiving the formulation of the specification in the temporal logic in a specification formula in order to expand this formula and fill in the table and the stack of worked subformulas stored in a memory of the computer system and resulting from the scanning of the computer system's log file;

- a clause processing algorithm executed by the computer system, which makes it possible to resolve the Horn clauses using the information from the table and the stack of worked subformulas, this clause processing algorithm generating an output file or generating an action.

ABSTRACT

Applicants: BULL S.A. and INRIA
Inventors: Jean GOUBAULT-LARRECQ, Muriel ROGER


The present invention relates to a method and device for model resolution and its use 
for detecting attacks against computer systems. 

The device comprises adapter software for translating the information from the log 
file, formulated in the specific language of the machine, into a language understandable by 
the interpreter, an interpreter receiving the information from the adapter and receiving the 
formulation of the specification in the temporal logic in a specification formula in order to 
expand this formula and fill in the table and the stack of worked subformulas described above 
resulting from the scanning of the machine's log file, and a clause processing algorithm for 
resolving the Horn clauses using the information from the table and the stack of worked 
subformulas, this clause processing algorithm generating an output file or generating an 
action. 

Fig. 1 